A wireless network vulnerability assessment checklist

Wireless Security Lunchtime Learning AN INTRO TO WIRELESS SECURITY LESSON 1: HOW TO COUNTER WIRELESS THREATS AND VULNERABILITIES VIDEO: UNDERSTANDING WI-FI THREATS TIP: A LIST OF WIRELESS NETWORK ATTACKS TIP: ROGUE DEVICES LESSON 1 QUIZ

Vulnerability assessments can help you find and fix WLAN weaknesses before attackers take advantage of them. But where do you start? What should you look for? Have you covered all the bases? This checklist will help to answer these questions.

1. Discover nearby wireless devices
You can't assess your WLAN's vulnerabilities if you don't know what's out there. Start by searching for wireless devices in and around your office, creating a foundation for subsequent steps.

Which 20 and 40 MHz channels have active traffic in the 2.4 GHz band?
Which 20 and 40 MHz channels have active traffic in the 5 GHz band?
Are there sources of non-802.11 interference in these frequency bands?

For each discovered 802.11 access point, document:

Media Access Control (MAC) address
Extended service set identifier (ESSID)
Channels
Average/Peak signal-to-noise ratio (SNR)
Type (i.e., 802.11a, b, g, or n)
Beaconed security parameters (i.e., WEP, TKIP or AES-CCMP)
Beaconed quality of service parameters (i.e., WMM access classes)
Approximate location and probable owner

MAC address
Associated ESSIDs
Type (i.e., 802.11a, b, g, or n)
Associated AP(s) or peer station(s)
Average/Peak SNR
If visible, 802.1X identity
Approximate location and probable owner

3. Test your own access points
Next, turn you attention to your own WLAN resources, starting with the APs that deliver wireless services to your users. Those APs are located in a network that may contain both trusted and untrusted devices. As such, they should be subjected to the same penetration tests that you run against perimeter firewalls and access routers that face the Internet. Questions that you should try to answer about each AP include the following:

Is the AP running the latest firmware and security patches?
Has the factory default ESSID been changed?
Has the default administrative login/password been changed?
Is the administrative password easily cracked?
Are stronger authentication options available (e.g., embedded 802.1X)?
Are there any unnecessary ports open (e.g., Telnet, HTTP, SNMP, TFTP)?
Are those open ports vulnerable to known exploits?
Are encrypted administrative interfaces available (e.g., SSH, HTTPS)?
Have security alerts or logs been enabled (e.g., syslog, traps)?
Have filters been used to prevent unauthorized protocols (e.g., ARP, RIP, SNMP, NetBIOS) from propagating through the AP into the wired network?
Are filters available/used to block user-to-user wireless?
Is the AP using the right ESSID, channel and 11b/g protection?
Are its security parameters consistent with defined policy?
If the AP is using WEP, is it emitting any known weak initialization vectors (IVs)?
Is the AP emitting any known weak initialization vectors (IVs)?
If the AP is using a PreShared Key (PSK), is it easily cracked?
If the AP is not using WPA2 (AES only), can it be upgraded to do so?
Can the AP withstand simulated 802.11 DoS attacks (e.g., Authenticate floods)?

Is the station running the latest OS and application security patches?
Is boot or OS authentication used to prevent lost/stolen/unintended use?
Are current antivirus and antispyware programs running?
Is the wireless interface protected by a personal firewall?
Are there unnecessary ports open (e.g., netbios-ns/ssn, microsoft-ds, ssdp)?
Are there unnecessary protocols bound to wireless (e.g., file/printer sharing)?
Are potential wireless intrusions (e.g., blocked sessions) being logged?
Is the wireless client willing to associate to ANY network? ANY Ad Hoc?
Is the client automatically re-associating with home or hotspot SSIDs?
Are there wireless user credentials (e.g., passwords) saved on disk?
Is the station scanning the right bands/channel widths for the right ESSID(s)?
Are its security parameters consistent with defined policy?
Is the class of traffic that it sends consistent with QoS expectations?
Is the station simultaneously connected to wired and wireless networks?
Is the station emitting any known weak IVs?
If the station is using 802.1X, is its identity visible?
If using 802.1X, is it using a vulnerable EAP type (e.g., LEAP)?
If using 802.1X, is it checking the server's certificate?
If not using WPA2 (AES), are upgrades available to do so?
If a VPN client is used over wireless, is it configured properly?

Like your APs, all of these devices should be subject to the same penetration tests normally run against Internet-facing servers. For example, captive portals should be subject to tests normally run against a DMZ Web server, including tests designed to assess that program/version for known vulnerabilities that may need to be patched.

Most infrastructure tests are not specific to wireless, but additional tests may be appropriate for 802.1X infrastructure. For example, you may wish to test your RADIUS server's ability to gracefully reject badly-formed EAP messages, including bad EAP lengths and EAP-of-death.

6. Apply your test results
Unfortunately, no checklist can help you with this final step. It's time to review your test results and assess the vulnerabilities you may have uncovered. Eliminate vulnerabilities where possible, and narrow the window of opportunity for exploiting the rest. For example, if you found Telnet on your APs, decide whether and how to disable that service. Can you use SSH instead of Telnet to administer your APs? Can you restrict SSH to Ethernet so the daemon can't be probed over wireless?

Once you've applied fixes, repeat tests to verify the result is now what you expected. Ideally, vulnerability assessments should be repeated at regular intervals to detect and assess new wireless devices and configuration changes. Also look for opportunities to automate your tests, making them faster, more consistent and more rigorous.

>> Read the next tip: Hunting for rogue wireless devices

BROWSE BY TAG Wireless Network Security: Setup and Tools,   Wireless LAN Design and Setup,   Enterprise Network Security,   Wireless Network Protocols and Standards,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Wireless LAN Design and Setup A list of wireless network attacks Wireless Security Lunchtime Learning An introduction to wireless security Risky Business: Understanding WiFi threats Lesson 1 quiz: Risky business Lesson 1: How to counter wireless threats and vulnerabilities Hunting for rogue wireless devices Wireless Security Lunchtime Learning Entrance Exam Study reveals lack of financial wireless computer security Cisco corrects serious Wireless LAN flaws Wireless LAN Design and Setup Research Wireless Network Protocols and Standards Wireless Security Lunchtime Learning An introduction to wireless security Risky Business: Understanding WiFi threats Lesson 1: How to counter wireless threats and vulnerabilities Lesson 1 quiz: Risky business Wireless Security Lunchtime Learning Entrance Exam Study reveals lack of financial wireless computer security Preparing enterprise Wi-Fi networks for PCI compliance Cracks in WPA? How to continue protecting Wi-Fi networks RSA survey finds rapidly growing LAN deployments

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary evil twin  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary